In the Claims

1. (Currently Amended) A computer-implemented method for gathering security event data and rendering result data in a manageable format comprising the steps of:

generating security event data comprising a plurality of alerts with a plurality of security devices at a first location in response to detecting a security event in a distributed computing environment;

providing one or more variables operable for analyzing and filtering the security event data, the variables comprising at least one of a location of a security event, a source of security event, a destination address of the security event, a security event type, a priority of a security event, and an identification of a system that detected a security event;

creating scope criteria by selecting one or more of the variables operable for analyzing and filtering the security event data, the security event data comprising the plurality of

collecting the security event data generated by the plurality of security devices located at the first location;

storing the collected security event data at a second location;

analyzing and filtering the collected security event data with the scope criteria to produce result data,

transmitting the result data to one or more clients; and

displaying the result data comprising filtered alerts based on the scope criteria.

2. (Original) The method of Claim 1, further comprising storing one or more of the scope criteria and the result data.

3. (Original) The method of Claim 1, wherein the first location is a distributed computing environment and the second location is a database server.
Application No. 09/844,448

4. (Original) The method of Claim 1, wherein collecting the security event data

generating security event data from a sensor,

sending the security event data from the sensor to a collector; and

converting the event data to a common format.



5. (Original) The method of Claim 1, wherein the analyzing is performed at an application server to which the plurality of clients are coupled.

6. (Original) The method of Claim 1, further comprising searching the stored security event data for additional information identifying a security event.

7. (Original) The method of Claim 1, further comprising:

polling a database server for current stored security event data;

analyzing the current stored security event data to produce current result data; and

rendering the current result data.
8. (Original) The method of Claim 1, further comprising polling for messages containing information about scope criteria, security event data, or result data.

9. (Original) The method of Claim 1, further comprising pushing messages to a client wherein the messages contain information about scope criteria, security event data, or result data.

10. (Original) The method of Claim 1, wherein the step of rendering result data comprises presenting the result data in a chart format.

11. (Original) The method of Claim 1, wherein in response to analyzing the collected security event data, an action is executed.
12. (Original) The method of Claim 11, wherein the action is clearing security event data from storage.

13. (Original) The method of Claim 11, wherein the action is creating an incident from result data for preparing a response.

14. (Original) The method of Claim 1, wherein the step of collecting security event data further comprises converting the data to a uniform format.

15. (Original) A computer-readable medium having computer-executable instructions for performing the steps recited in Claim 1.
16. (Currently Amended) A method for managing security event data collected from a plurality of security devices in a distributed computing environment comprising the steps of:

generating security event data comprising a plurality of alerts with the plurality of security devices at a first location in response to detecting a security event in a distributed computing environment;

providing one or more variables operable for analyzing and filtering the security event data, the variables comprising at least one of a location of a security event, a source of security event, a destination address of the security event, a security event type, a priority of a security event, and an identification of a system that detected a security event;

creating scope criteria by selecting one or more of the variables operable for analyzing and filtering the security event data, the security event data comprising the plurality of

collecting security event data at a second location;

applying the scope criteria to the security event data at a third location to produce result data;

transmitting the result data to one or more clients; and

displaying the result data comprising filtered alerts based on the scope criteria.



17. (Original) The method of Claim 16, further comprising rendering the result in a rendering for output to a client.

18. (Original) The method of Claim 16, wherein the first location is a distributed computing environment.

19. (Original) The method of Claim 16, wherein the second location is a database server.

20. (Original) The method of Claim 16, wherein the third location is an application server coupled to the plurality of clients.
21. (Original) The method of Claim 16, further comprising storing one or more of the scope criteria, the security event data, and the result in a database.

22. (Original) The method of Claim 16, further comprising executing an action at the server in response to producing the result.

23. (Original) The method of Claim 22, wherein the action is clearing stored security event data.

24. (Original) The method of Claim 22, wherein the action is creating an incident from a result.

25. (Original) The method of Claim 16, further comprising applying additional scope criteria to a plurality of results.

26. (Original) A computer-readable medium having computer executable instructions for performing the steps recited in Claim 16.
27. (Currently Amended) A computer-implemented system for managing security event data collected from a plurality of security devices comprising:

a plurality of security devices operable for generating security event data comprising a plurality of alerts that are generated in response to detecting a security event in a distributed computing environment;

an event manager coupled to the security devices, the event manager operable for collecting the security event data from the security devices and analyzing and filtering the security event data with scope criteria comprising one or more definable defineable variables operable for analyzing and filtering the security event data, the variables comprising at least one of a location of a security event, a source of security event, a destination address of the security event, a security event type, a priority of a security event, and an identification of a system that detected a security event and applying the scope criteria to the security event data to produce result data; and

one or more clients coupled to the event manager operable to perform an action in response to receiving analyzed security event data from the event manager and displaying the result data comprising filtered alerts based on the scope criteria.

28. (Previously Amended) The system of Claim 27, wherein the event manager comprises a database server operable for storing the collected security event data and the analyzed security event data.

29. (Original) The system of Claim 27, wherein the event manager comprises an application server operable for creating an incident from the security event data for preparing a response.

30. (Original) The system of Claim 27, wherein the security devices are coupled to a distributed computing network.
31. (Original) The system of Claim 27, wherein multiple clients operable for receiving analyzed security data are coupled to the event manager.

32. (Original) The method of Claim 27, wherein the action performed by the client is rendering a chart containing analyzed security event data.

33. (Original) The method of Claim 1, further comprising the step of rendering the result data in a manageable format for the plurality of clients.
34. (Currently Amended) A computer-implemented method for gathering security event data and rendering result data in a manageable format comprising the steps of:

generating security event data comprising a plurality of alerts with a plurality of security devices at a first location in response to detecting a security event in a distributed computing environment;

providing one or more variables operable for analyzing and filtering the security event data, the variables comprising at least one of a location of a security event, a source of security event, a destination address of the security event, a security event type, a priority of a security event, and an identification of a system that detected a security event;

creating scope criteria by selecting one or more of the variables operable for analyzing and filtering the security event data, the security event data comprising the plurality of

collecting the security event data at a second location;

analyzing and filtering the collected security event data with the scope criteria at a third location to produce result data,

transmitting the result data to one or more clients; and

rendering the result data in a manageable format for the one or more clients.



35. (Original) The method of Claim 34, further comprising storing one or more of the scope criteria, the security event data, and the result data.

36. (Original) The method of Claim 34, wherein the first location is a distributed computing environment, the second location is a database server, and the third location is an application server to which the plurality of clients are coupled.

37. (Original) The method of Claim 34, further comprising editing the scope criteria.

38. (Original) The method of Claim 34, further comprising converting the collected security event data to a common format.
39. (Original) The method of Claim 35, further comprising searching the stored security event data for additional information identifying a security event.

40. (Original) The method of Claim 35, further comprising:

polling a database server for current stored security event data;

analyzing the current stored security event data to produce current result data; and

rendering the current result data.

41. (Original) The method of Claim 34, further comprising polling for messages containing information about scope criteria, security event data, or result data.

42. (Original) The method of Claim 34, further comprising pushing messages to a client wherein the messages contain information about scope criteria, security event data, or result data.

43. (Original) The method of Claim wherein the step of rendering the result data comprises presenting the result data in a chart format.

44. (Original) The method of Claim 34, wherein in response to analyzing the collected security event data, an action is executed.

45. (Original) The method of Claim 44, wherein the action is clearing security event data from storage.

46. (Original) The method of Claim 44, wherein the action is creating an incident from result data for preparing a response.
47. (Original) The method of Claim 34, wherein the step of collecting security event data further comprises converting the data to a uniform format.

48. (Original) A computer-readable medium having computer-executable instructions for performing the steps recited in Claim 34.
49. (Currently Amended) A method for managing security event data collected from a plurality of security devices in a distributed computing environment, comprising the steps of:

generating security event data with a plurality of security devices in response to detecting a security event in a distributed computing environment, the security event data comprising a plurality of alerts;

transferring the security event data for storage in a database;

applying a scope criteria comprising one or more definable defineable variables to the security event data for analyzing and filtering the security event data to produce a result, the variables comprising at least one of a location of a security event, a source of security event, a destination address of the security event, a security event type, a priority of a security event, and an identification of a system that detected a security event;

accessing the result with one or more clients coupled to an application server; and

displaying the result data comprising filtered alerts based on the scope criteria.

50. (Original) The method of Claim 49, further comprising rendering the result in a rendering for output to the clients.

51. (Original) The method of Claim 49, further comprising the step of creating the scope criteria for filtering the security event data.

52. (Original) The method of Claim 49, further comprising the step of editing the scope criteria.

53. (Original) The method of Claim 49, further comprising converting the security event data to a uniform format.

54. (Original) The method of Claim 49, further comprising storing one or more of the scope criteria, the security event data, and the result in a database.
55. (Original) The method of Claim 49, wherein in response to producing a result, an action is executed.

56. (Original) The method of Claim 55, wherein the action is clearing stored security event data.

57. (Original) The method of Claim 55, wherein the action is creating an incident

58. (Original) The method of Claim 49, further comprising applying additional scope criteria to a plurality of results.

59. (Original) A computer-readable medium having computer-executable instructions for performing the steps recited in Claim 49.


